author | Rémy Coutable <remy@gitlab.com> | 2016-09-28 12:42:33 +0300 |
---|---|---|
committer | Rémy Coutable <remy@rymai.me> | 2016-09-28 18:47:27 +0300 |
commit | f006462d7b41381f83ba90463fc1b291034ee908 (patch) | |
tree | ac055c2cf501c2950815108dad84f8f527842c28 /app | |
parent | 62ead92ee808d32965b19128b529dce68d188f51 (diff) |
Merge branch '18028-respect-fork-project' into 'security'
Enforce the fork_project permission in Projects::CreateService
Projects::ForkService delegates to this service almost entirely, but needed one small change so it would propagate create errors correctly.
CreateService#execute needs significant refactoring; it is now right at the complexity limit set by Rubocop. I avoided doing so in this commit to keep the diff as small as possible.
Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/18028
See merge request !1996
Signed-off-by: Rémy Coutable <remy@rymai.me>
Diffstat (limited to 'app')
-rw-r--r-- | app/services/projects/create_service.rb | 12 |
-rw-r--r-- | app/services/projects/fork_service.rb | 2 |
2 files changed, 14 insertions, 0 deletions
diff --git a/app/services/projects/create_service.rb b/app/services/projects/create_service.rb index 55956be2844..4ec975cf96c 100644 --- a/app/services/projects/create_service.rb +++ b/app/services/projects/create_service.rb @@ -16,6 +16,11 @@ module Projects return @project end + unless allowed_fork?(forked_from_project_id) + @project.errors.add(:forked_from_project_id, 'is forbidden') + return @project + end + # Set project name from path if @project.name.present? && @project.path.present? # if both name and path set - everything is ok @@ -72,6 +77,13 @@ module Projects @project.errors.add(:namespace, "is not valid") end + def allowed_fork?(source_project_id) + return true if source_project_id.nil? + + source_project = Project.find_by(id: source_project_id) + current_user.can?(:fork_project, source_project) + end + def allowed_namespace?(user, namespace_id) namespace = Namespace.find_by(id: namespace_id) current_user.can?(:create_projects, namespace) diff --git a/app/services/projects/fork_service.rb b/app/services/projects/fork_service.rb index de6dc38cc8e..90c72c4ceb1 100644 --- a/app/services/projects/fork_service.rb +++ b/app/services/projects/fork_service.rb @@ -17,6 +17,8 @@ module Projects end new_project = CreateService.new(current_user, new_params).execute + return new_project unless new_project.persisted? + new_project end |
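Review bot: In the first hunk of create_service.rb (@@ -16,6 +16,11), `forked_from_project_id` is passed to `allowed_fork?` but is not defined anywhere in this diff, so these lines alone do not show whether it is the same value that is later used to link the new project to its source. Please confirm the permission check and the fork link read one and the same value, and add a short comment above the `unless` saying where the id comes from, so the check cannot pass for one id while a different one is persisted.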
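Review bot: In the second hunk of create_service.rb (@@ -72,6 +77,13), `allowed_fork?` does not handle a failed lookup: `Project.find_by(id: source_project_id)` returns nil for an id that does not exist, and the result is handed straight to `current_user.can?(:fork_project, source_project)`. The method then fails closed only if `can?` returns false for a nil subject, which is not visible here. Since the guard at the top only short-circuits on `nil`, any other non-matching value reaches the same path. I would make the denial explicit with `return false unless source_project` before the `can?` call, and cover the unknown-id case in a spec.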
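Review bot: In the fork_service.rb hunk (@@ -17,6 +17,8), the added `return new_project unless new_project.persisted?` is followed directly by `new_project` as the method's last expression in the lines shown, so both paths return the same object and the guard does not change the result. If it is meant to skip work that will be added between the two lines later, say so in a comment. If the intent is to surface the `'is forbidden'` error to the caller, that already happens through the returned record's `errors`, and the guard can be dropped.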